-rw-r--r--  ChangeLog                        404
-rw-r--r--  ReleaseNotes                     404
-rw-r--r--  changes/bug40563                   8
-rw-r--r--  changes/bug40639                   5
-rw-r--r--  changes/bug40642                   9
-rw-r--r--  changes/bug40644                   8
-rw-r--r--  changes/bug40645                   5
-rw-r--r--  changes/bug40673                   7
-rw-r--r--  changes/bug40684                   6
-rw-r--r--  changes/bug40698                  11
-rw-r--r--  changes/bug40732                   7
-rw-r--r--  changes/bug40751                   3
-rw-r--r--  changes/bug40805                   7
-rw-r--r--  changes/bug40858                   6
-rw-r--r--  changes/fallbackdirs-2022-08-11    2
-rw-r--r--  changes/fallbackdirs-2022-11-10    2
-rw-r--r--  changes/fallbackdirs-2022-12-06    2
-rw-r--r--  changes/fallbackdirs-2023-01-12    2
-rw-r--r--  changes/fallbackdirs-2023-07-26    2
-rw-r--r--  changes/fallbackdirs-2023-09-18    2
-rw-r--r--  changes/fallbackdirs-2023-11-03    2
-rw-r--r--  changes/geoip-2022-08-11           3
-rw-r--r--  changes/geoip-2022-08-12           5
-rw-r--r--  changes/geoip-2022-11-10           3
-rw-r--r--  changes/geoip-2022-12-06           3
-rw-r--r--  changes/geoip-2023-01-12           3
-rw-r--r--  changes/geoip-2023-07-26           3
-rw-r--r--  changes/geoip-2023-09-18           3
-rw-r--r--  changes/geoip-2023-11-03           3
-rw-r--r--  changes/ip_bind_address_no_port    5
-rw-r--r--  changes/issue40613                 3
-rw-r--r--  changes/ticket40194                9
-rw-r--r--  changes/ticket40604                5
-rw-r--r--  changes/ticket40623                4
-rw-r--r--  changes/ticket40648                3
-rw-r--r--  changes/ticket40649                4
-rw-r--r--  changes/ticket40652               10
-rw-r--r--  changes/ticket40663                3
-rw-r--r--  changes/ticket40664                3
-rw-r--r--  changes/ticket40674                3
-rw-r--r--  changes/ticket40680                6
-rw-r--r--  changes/ticket40683                6
-rw-r--r--  changes/ticket40687                2
-rw-r--r--  changes/ticket40688                3
-rw-r--r--  changes/ticket40692                3
-rw-r--r--  changes/ticket40694                5
-rw-r--r--  changes/ticket40696                3
-rw-r--r--  changes/ticket40703                4
-rw-r--r--  changes/ticket40704                6
-rw-r--r--  changes/ticket40708                3
-rw-r--r--  changes/ticket40719                3
-rw-r--r--  changes/ticket40722                5
-rw-r--r--  changes/ticket40724                3
-rw-r--r--  changes/ticket40727                3
-rw-r--r--  changes/ticket40729                3
-rw-r--r--  changes/ticket40730                5
-rw-r--r--  changes/ticket40739                6
-rw-r--r--  changes/ticket40741                2
-rw-r--r--  changes/ticket40745                3
-rw-r--r--  changes/ticket40753                5
-rw-r--r--  changes/ticket40799                6
-rw-r--r--  changes/ticket40815                4
-rw-r--r--  changes/ticket40824                4
-rw-r--r--  changes/ticket40859                4
-rw-r--r--  changes/ticket40874                3
65 files changed, 808 insertions, 274 deletions
diff --git a/ChangeLog b/ChangeLog
index 0ed1710d7b..125bf7c029 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,407 @@
+Changes in version 0.4.7.16 - 2023-11-03
+ We are releasing today a fix for a high security issue, TROVE-2023-004, that
+ is affecting relays. Please upgrade as soon as posssible.
+
+ o Major bugfixes (TROVE-2023-004, relay):
+ - Mitigate an issue when Tor compiled with OpenSSL can crash during
+ handshake with a remote relay. Fixes bug 40874; bugfix
+ on 0.2.7.2-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on November 03, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/11/03.
+
+
+Changes in version 0.4.7.15 - 2023-09-18
+ This version contains an important fix for onion service regarding congestion
+ control and its reliability. Apart from that, very minor bugfixes. We
+ strongly recommend all onion service operators to update immediately.
+
+ o Major bugfixes (onion service):
+ - Fix a reliability issue where services were expiring their
+ introduction points every consensus update. This caused
+ connectivity issues for clients caching the old descriptor and
+ intro points. Bug reported and fixed by gitlab user
+ @hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on September 18, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/09/18.
+
+ o Minor features (testing):
+ - Enable Doxygen and Stem tests for 0.4.8 and clean-up some logic
+ for handling versions of Tor that are no longer supported. Closes
+ ticket 40859.
+
+ o Minor bugfixes (compression):
+ - Right after compression/decompression work is done, check for
+ errors. Before this, we would consider compression bomb before
+ that and then looking for errors leading to false positive on that
+ log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
+ by "cypherpunks".
+
+ o Minor bugfixes (compression, zstd):
+ - Use less frightening language and lower the log-level of our run-
+ time ABI compatibility check message in our Zstd compression
+ subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
+
+
+Changes in version 0.4.7.14 - 2023-07-26
+ This version contains several minor fixes and one major bugfix affecting
+ vanguards (onion service). As usual, we recommend upgrading to this version
+ as soon as possible.
+
+ o Major bugfixes (vanguards):
+ - Rotate to a new L2 vanguard whenever an existing one loses the
+ Stable or Fast flag. Previously, we would leave these relays in
+ the L2 vanguard list but never use them, and if all of our
+ vanguards end up like this we wouldn't have any middle nodes left
+ to choose from so we would fail to make onion-related circuits.
+ Fixes bug 40805; bugfix on 0.4.7.1-alpha.
+
+ o Minor feature (CI):
+ - Update CI to use Debian Bullseye for runners.
+
+ o Minor feature (lzma):
+ - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
+
+ o Minor features (directory authorities):
+ - Directory authorities now include their AuthDirMaxServersPerAddr
+ config option in the consensus parameter section of their vote.
+ Now external tools can better predict how they will behave.
+ Implements ticket 40753.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on July 26, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/07/26.
+
+ o Minor bugfix (relay, logging):
+ - The wrong max queue cell size was used in a protocol warning
+ logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
+
+ o Minor bugfixes (compilation):
+ - Fix all -Werror=enum-int-mismatch warnings. No behavior change.
+ Fixes bug 40824; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (metrics):
+ - Decrement hs_intro_established_count on introduction circuit
+ close. Fixes bug 40751; bugfix on 0.4.7.12.
+
+ o Minor bugfixes (sandbox):
+ - Allow membarrier for the sandbox. And allow rt_sigprocmask when
+ compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.13 - 2023-01-12
+ This version contains three major bugfixes, two for relays and one for
+ client being a security fix, TROVE-2022-002. We have added, for Linux, the
+ support for IP_BIND_ADDRESS_NO_PORT for relays using OutboundBindAddress.
+ We strongly recommend to upgrade to this version considering the important
+ congestion control fix detailed below.
+
+ o Major bugfixes (congestion control):
+ - Avoid incrementing the congestion window when the window is not
+ fully in use. Thia prevents overshoot in cases where long periods
+ of low activity would allow our congestion window to grow, and
+ then get followed by a burst, which would cause queue overload.
+ Also improve the increment checks for RFC3742. Fixes bug 40732;
+ bugfix on 0.4.7.5-alpha.
+
+ o Major bugfixes (relay):
+ - When opening a channel because of a circuit request that did not
+ include an Ed25519 identity, record the Ed25519 identity that we
+ actually received, so that we can use the channel for other
+ circuit requests that _do_ list an Ed25519 identity. (Previously
+ we had code to record this identity, but a logic bug caused it to
+ be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch
+ from "cypherpunks".
+
+ o Major bugfixes (TROVE-2022-002, client):
+ - The SafeSocks option had its logic inverted for SOCKS4 and
+ SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe
+ SOCKS4a one. This is TROVE-2022-002 which was reported on
+ Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (authority):
+ - Reject 0.4.6.x series at the authority level. Closes ticket 40664.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on January 12, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/01/12.
+
+ o Minor features (relays):
+ - Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
+ sockets, allowing relays using OutboundBindAddress to make more
+ outgoing connections than ephemeral ports, as long as they are to
+ separate destinations. Related to issue 40597; patch by Alex
+ Xu (Hello71).
+
+ o Minor bugfixes (relay, metrics):
+ - Fix typo in a congestion control label on the MetricsPort. Fixes
+ bug 40727; bugfix on 0.4.7.12.
+
+ o Minor bugfixes (sandbox, authority):
+ - With the sandbox enabled, allow to write "my-consensus-
+ {ns|microdesc}" and to rename them as well. Fixes bug 40729;
+ bugfix on 0.3.5.1-alpha.
+
+ o Code simplifications and refactoring:
+ - Rely on actual error returned by the kernel when choosing what
+ resource exhaustion to log. Fixes issue 40613; Fix
+ on tor-0.4.6.1-alpha.
+
+
+Changes in version 0.4.7.12 - 2022-12-06
+ This version contains a major change that is a new key for moria1. Also, new
+ metrics are exported on the MetricsPort for the congestion control
+ subsystem.
+
+ o Directory authority changes (moria1):
+ - Rotate the relay identity key and v3 identity key for moria1. They
+ have been online for more than a decade and refreshing keys
+ periodically is good practice. Advertise new ports too, to avoid
+ confusion. Closes ticket 40722.
+
+ o Minor feature (Congestion control metrics):
+ - Add additional metricsport relay metrics for congestion control.
+ Closes ticket 40724.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on December 06, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/12/06.
+
+ o Minor bugfixes (cpuworker, relay):
+ - Fix an off by one overload calculation on the number of CPUs being
+ used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.11 - 2022-11-10
+ This version contains several major fixes aimed at helping defend against
+ network denial of service. It is also extending drastically the MetricsPort
+ for relays to help us gather more internal data to investigate performance
+ and attacks.
+
+ We strongly recommend to upgrade to this version especially for Exit relays
+ in order to help the network defend against this ongoing DDoS.
+
+ o Directory authority changes (dizum, Faravahar):
+ - Change dizum IP address. Closes ticket 40687.
+ - Remove Faravahar until its operator, Sina, set it back up online
+ outside of Team Cymru network. Closes ticket 40688.
+
+ o Major bugfixes (geoip data):
+ - IPFire informed us on August 12th that databases generated after
+ (including) August 10th did not have proper ARIN network
+ allocations. We are updating the database to use the one generated
+ on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
+
+ o Major bugfixes (onion service):
+ - Set a much higher circuit build timeout for opened client rendezvous
+ circuit. Before this, tor would time them out very quickly leading to
+ unnecessary retries meaning more load on the network. Fixes bug 40694;
+ bugfix on 0.3.5.1-alpha.
+
+ o Major bugfixes (OSX):
+ - Fix coarse-time computation on Apple platforms (like Mac M1) where
+ the Mach absolute time ticks do not correspond directly to
+ nanoseconds. Previously, we computed our shift value wrong, which
+ led us to give incorrect timing results. Fixes bug 40684; bugfix
+ on 0.3.3.1-alpha.
+
+ o Major bugfixes (relay):
+ - Improve security of our DNS cache by randomly clipping the TTL
+ value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (Mac and iOS build):
+ - Change how combine_libs works on Darwin like platforms to make
+ sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
+ symbols on the archive before we repack and run ${RANLIB} on the
+ archive. This fixes a build issue with recent Xcode versions on
+ Mac Silicon and iOS. Closes ticket 40683.
+
+ o Minor feature (metrics):
+ - Add various congestion control counters to the MetricsPort. Closes
+ ticket 40708.
+
+ o Minor feature (performance):
+ - Bump the maximum amount of CPU that can be used from 16 to 128. Note
+ that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
+ 40703; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (relay):
+ - Make an hardcoded value for the maximum of per CPU tasks into a
+ consensus parameter.
+ - Two new consensus parameters are added to control the wait time in
+ queue of the onionskins. One of them is the torrc
+ MaxOnionQueueDelay options which supersedes the consensus
+ parameter. Closes ticket 40704.
+
+ o Minor feature (relay, DoS):
+ - Apply circuit creation anti-DoS defenses if the outbound circuit
+ max cell queue size is reached too many times. This introduces two
+ new consensus parameters to control the queue size limit and
+ number of times allowed to go over that limit. Closes ticket 40680.
+
+ o Minor feature (relay, metrics):
+ - Add DoS defenses counter to MetricsPort.
+ - Add congestion control RTT reset counter to MetricsPort.
+ - Add counters to the MetricsPort how many connections, per type,
+ are currently opened and how many were created.
+ - Add relay flags from the consensus to the MetricsPort.
+ - Add total number of opened circuits to MetricsPort.
+ - Add total number of streams seen by an Exit to the MetricsPort.
+ - Add traffic stats as in number of read/written bytes in total.
+ - Related to ticket 40194.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on November 10, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/11/10.
+
+ o Minor bugfixes (authorities, sandbox):
+ - Allow to write file my-consensus-<flavor-name> to disk when
+ sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (dirauth):
+ - Directory authorities stop voting a consensus "Measured" weight
+ for relays with the Authority flag. Now these relays will be
+ considered unmeasured, which should reserve their bandwidth for
+ their dir auth role and minimize distractions from other roles. In
+ place of the "Measured" weight, they now include a
+ "MeasuredButAuthority" weight (not used by anything) so the
+ bandwidth authority's opinion on this relay can be recorded for
+ posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
+ torrc option which never worked right. Fixes bugs 40698 and 40700;
+ bugfix on 0.4.7.2-alpha.
+
+ o Minor bugfixes (onion service client):
+ - A collapsing onion service circuit should be seen as an
+ "unreachable" error so it can be retried. Fixes bug 40692; bugfix
+ on 0.3.5.1-alpha.
+
+ o Minor bugfixes (onion service):
+ - Make the service retry a rendezvous if the circuit is being
+ repurposed for measurements. Fixes bug 40696; bugfix
+ on 0.3.5.1-alpha.
+
+ o Minor bugfixes (relay overload statistics):
+ - Count total create cells vs dropped create cells properly, when
+ assessing if our fraction of dropped cells is too high. We only
+ count non-client circuits in the denominator, but we would include
+ client circuits in the numerator, leading to surprising log lines
+ claiming that we had dropped more than 100% of incoming create
+ cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
+
+ o Code simplification and refactoring (bridges):
+ - Remove unused code related to ExtPort connection ID. Fixes bug
+ 40648; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.10 - 2022-08-12
+ This version updates the geoip cache that we generate from IPFire location
+ database to use the August 9th, 2022 one. Everyone MUST update to this
+ latest release else circuit path selection and relay metrics are badly
+ affected.
+
+ o Major bugfixes (geoip data):
+ - IPFire informed us on August 12th that databases generated after
+ (including) August 10th did not have proper ARIN network allocations. We
+ are updating the database to use the one generated on August 9th, 2022.
+ Fixes bug 40658; bugfix on 0.4.7.9.
+
+
+Changes in version 0.4.7.9 - 2022-08-11
+ This version contains several major fixes aimed at reducing memory pressure on
+ relays and possible side-channel. It also contains a major bugfix related to
+ congestion control also aimed at reducing memory pressure on relays.
+ Finally, there is last one major bugfix related to Vanguard L2 layer node
+ selection.
+
+ We strongly recommend to upgrade to this version especially for Exit relays
+ in order to help the network defend against this ongoing DDoS.
+
+ o Major bugfixes (congestion control):
+ - Implement RFC3742 Limited Slow Start. Congestion control was
+ overshooting the congestion window during slow start, particularly
+ for onion service activity. With this fix, we now update the
+ congestion window more often during slow start, as well as dampen
+ the exponential growth when the congestion window grows above a
+ capping parameter. This should reduce the memory increases guard
+ relays were seeing, as well as allow us to set lower queue limits
+ to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
+ on 0.4.7.5-alpha.
+
+ o Major bugfixes (relay):
+ - Remove OR connections btrack subsystem entries when the connections
+ close normally. Before this, we would only remove the entry on error and
+ thus leaking memory for each normal OR connections. Fixes bug 40604;
+ bugfix on 0.4.0.1-alpha.
+ - Stop sending TRUNCATED cell and instead close the circuit from which we
+ received a DESTROY cell. This makes every relay in the circuit path to
+ stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+ o Major bugfixes (vanguards):
+ - We had omitted some checks for whether our vanguards (second layer
+ guards from proposal 333) overlapped. Now make sure to pick each
+ of them to be independent. Also, change the design to allow them
+ to come from the same family. Fixes bug 40639; bugfix
+ on 0.4.7.1-alpha.
+
+ o Minor features (dirauth):
+ - Add a torrc option to control the Guard flag bandwidth threshold
+ percentile. Closes ticket 40652.
+ - Add an AuthDirVoteGuard torrc option that can allow authorities to
+ assign the Guard flag to the given fingerprints/country code/IPs.
+ This is a needed feature mostly for defense purposes in case a DoS
+ hits the network and relay start losing the Guard flags too fast.
+ - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
+ TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
+ from torrc.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on August 11, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/08/11.
+
+ o Minor bugfixes (congestion control):
+ - Add a check for an integer underflow condition that might happen
+ in cases where the system clock is stopped, the ORconn is blocked,
+ and the endpoint sends more than a congestion window worth of non-
+ data control cells at once. This would cause a large congestion
+ window to be calculated instead of a small one. No security
+ impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
+
+ o Minor bugfixes (defense in depth):
+ - Change a test in the netflow padding code to make it more
+ _obviously_ safe against remotely triggered crashes. (It was safe
+ against these before, but not obviously so.) Fixes bug 40645;
+ bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (relay):
+ - Do not propagate either forward or backward a DESTROY remote reason when
+ closing a circuit in order to avoid a possible side channel. Fixes bug
+ 40649; bugfix on 0.1.2.4-alpha.
+
+
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
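Review bot: Two typos in the added release text should be corrected before this ships: "as soon as posssible" in the 0.4.7.16 summary and "Thia prevents overshoot" in the 0.4.7.13 congestion control item (the same two lines recur in the ReleaseNotes hunk). The geoip entry for bug 40658 reads "bugfix on 0.4.5.13" under 0.4.7.11 but "bugfix on 0.4.7.9" under 0.4.7.10; operators deciding whether an older relay is affected need a single origin version, so reconcile the two or say why they differ. In the 0.4.7.11 "Minor feature (relay, metrics)" list, "Related to ticket 40194." is formatted as its own bullet, and it would read better folded into the last real item so it is not taken for a separate change. The 0.4.7.14 "Minor feature (lzma)" item describes a compiler-warning fix and fits better under the compilation bugfixes heading used two entries later.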
diff --git a/ReleaseNotes b/ReleaseNotes
index ae90f71510..4b5050d875 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -2,6 +2,410 @@ This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.
+Changes in version 0.4.7.16 - 2023-11-03
+ We are releasing today a fix for a high security issue, TROVE-2023-004, that
+ is affecting relays. Please upgrade as soon as posssible.
+
+ o Major bugfixes (TROVE-2023-004, relay):
+ - Mitigate an issue when Tor compiled with OpenSSL can crash during
+ handshake with a remote relay. Fixes bug 40874; bugfix
+ on 0.2.7.2-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on November 03, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/11/03.
+
+
+Changes in version 0.4.7.15 - 2023-09-18
+ This version contains an important fix for onion service regarding congestion
+ control and its reliability. Apart from that, very minor bugfixes. We
+ strongly recommend all onion service operators to update immediately.
+
+ o Major bugfixes (onion service):
+ - Fix a reliability issue where services were expiring their
+ introduction points every consensus update. This caused
+ connectivity issues for clients caching the old descriptor and
+ intro points. Bug reported and fixed by gitlab user
+ @hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on September 18, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/09/18.
+
+ o Minor features (testing):
+ - Enable Doxygen and Stem tests for 0.4.8 and clean-up some logic
+ for handling versions of Tor that are no longer supported. Closes
+ ticket 40859.
+
+ o Minor bugfixes (compression):
+ - Right after compression/decompression work is done, check for
+ errors. Before this, we would consider compression bomb before
+ that and then looking for errors leading to false positive on that
+ log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
+ by "cypherpunks".
+
+ o Minor bugfixes (compression, zstd):
+ - Use less frightening language and lower the log-level of our run-
+ time ABI compatibility check message in our Zstd compression
+ subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
+
+
+Changes in version 0.4.7.14 - 2023-07-26
+ This version contains several minor fixes and one major bugfix affecting
+ vanguards (onion service). As usual, we recommend upgrading to this version
+ as soon as possible.
+
+ o Major bugfixes (vanguards):
+ - Rotate to a new L2 vanguard whenever an existing one loses the
+ Stable or Fast flag. Previously, we would leave these relays in
+ the L2 vanguard list but never use them, and if all of our
+ vanguards end up like this we wouldn't have any middle nodes left
+ to choose from so we would fail to make onion-related circuits.
+ Fixes bug 40805; bugfix on 0.4.7.1-alpha.
+
+ o Minor feature (CI):
+ - Update CI to use Debian Bullseye for runners.
+
+ o Minor feature (lzma):
+ - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
+
+ o Minor features (directory authorities):
+ - Directory authorities now include their AuthDirMaxServersPerAddr
+ config option in the consensus parameter section of their vote.
+ Now external tools can better predict how they will behave.
+ Implements ticket 40753.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on July 26, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/07/26.
+
+ o Minor bugfix (relay, logging):
+ - The wrong max queue cell size was used in a protocol warning
+ logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
+
+ o Minor bugfixes (compilation):
+ - Fix all -Werror=enum-int-mismatch warnings. No behavior change.
+ Fixes bug 40824; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (metrics):
+ - Decrement hs_intro_established_count on introduction circuit
+ close. Fixes bug 40751; bugfix on 0.4.7.12.
+
+ o Minor bugfixes (sandbox):
+ - Allow membarrier for the sandbox. And allow rt_sigprocmask when
+ compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.13 - 2023-01-12
+ This version contains three major bugfixes, two for relays and one for
+ client being a security fix, TROVE-2022-002. We have added, for Linux, the
+ support for IP_BIND_ADDRESS_NO_PORT for relays using OutboundBindAddress.
+ We strongly recommend to upgrade to this version considering the important
+ congestion control fix detailed below.
+
+ o Major bugfixes (congestion control):
+ - Avoid incrementing the congestion window when the window is not
+ fully in use. Thia prevents overshoot in cases where long periods
+ of low activity would allow our congestion window to grow, and
+ then get followed by a burst, which would cause queue overload.
+ Also improve the increment checks for RFC3742. Fixes bug 40732;
+ bugfix on 0.4.7.5-alpha.
+
+ o Major bugfixes (relay):
+ - When opening a channel because of a circuit request that did not
+ include an Ed25519 identity, record the Ed25519 identity that we
+ actually received, so that we can use the channel for other
+ circuit requests that _do_ list an Ed25519 identity. (Previously
+ we had code to record this identity, but a logic bug caused it to
+ be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch
+ from "cypherpunks".
+
+ o Major bugfixes (TROVE-2022-002, client):
+ - The SafeSocks option had its logic inverted for SOCKS4 and
+ SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe
+ SOCKS4a one. This is TROVE-2022-002 which was reported on
+ Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (authority):
+ - Reject 0.4.6.x series at the authority level. Closes ticket 40664.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on January 12, 2023.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/01/12.
+
+ o Minor features (relays):
+ - Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
+ sockets, allowing relays using OutboundBindAddress to make more
+ outgoing connections than ephemeral ports, as long as they are to
+ separate destinations. Related to issue 40597; patch by Alex
+ Xu (Hello71).
+
+ o Minor bugfixes (relay, metrics):
+ - Fix typo in a congestion control label on the MetricsPort. Fixes
+ bug 40727; bugfix on 0.4.7.12.
+
+ o Minor bugfixes (sandbox, authority):
+ - With the sandbox enabled, allow to write "my-consensus-
+ {ns|microdesc}" and to rename them as well. Fixes bug 40729;
+ bugfix on 0.3.5.1-alpha.
+
+ o Code simplifications and refactoring:
+ - Rely on actual error returned by the kernel when choosing what
+ resource exhaustion to log. Fixes issue 40613; Fix
+ on tor-0.4.6.1-alpha.
+
+
+Changes in version 0.4.7.12 - 2022-12-06
+ This version contains a major change that is a new key for moria1. Also, new
+ metrics are exported on the MetricsPort for the congestion control
+ subsystem.
+
+ o Directory authority changes (moria1):
+ - Rotate the relay identity key and v3 identity key for moria1. They
+ have been online for more than a decade and refreshing keys
+ periodically is good practice. Advertise new ports too, to avoid
+ confusion. Closes ticket 40722.
+
+ o Minor feature (Congestion control metrics):
+ - Add additional metricsport relay metrics for congestion control.
+ Closes ticket 40724.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on December 06, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/12/06.
+
+ o Minor bugfixes (cpuworker, relay):
+ - Fix an off by one overload calculation on the number of CPUs being
+ used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.11 - 2022-11-10
+ This version contains several major fixes aimed at helping defend against
+ network denial of service. It is also extending drastically the MetricsPort
+ for relays to help us gather more internal data to investigate performance
+ and attacks.
+
+ We strongly recommend to upgrade to this version especially for Exit relays
+ in order to help the network defend against this ongoing DDoS.
+
+ o Directory authority changes (dizum, Faravahar):
+ - Change dizum IP address. Closes ticket 40687.
+ - Remove Faravahar until its operator, Sina, set it back up online
+ outside of Team Cymru network. Closes ticket 40688.
+
+ o Major bugfixes (geoip data):
+ - IPFire informed us on August 12th that databases generated after
+ (including) August 10th did not have proper ARIN network
+ allocations. We are updating the database to use the one generated
+ on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
+
+ o Major bugfixes (onion service):
+ - Set a much higher circuit build timeout for opened client rendezvous
+ circuit. Before this, tor would time them out very quickly leading to
+ unnecessary retries meaning more load on the network. Fixes bug 40694;
+ bugfix on 0.3.5.1-alpha.
+
+ o Major bugfixes (OSX):
+ - Fix coarse-time computation on Apple platforms (like Mac M1) where
+ the Mach absolute time ticks do not correspond directly to
+ nanoseconds. Previously, we computed our shift value wrong, which
+ led us to give incorrect timing results. Fixes bug 40684; bugfix
+ on 0.3.3.1-alpha.
+
+ o Major bugfixes (relay):
+ - Improve security of our DNS cache by randomly clipping the TTL
+ value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (Mac and iOS build):
+ - Change how combine_libs works on Darwin like platforms to make
+ sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
+ symbols on the archive before we repack and run ${RANLIB} on the
+ archive. This fixes a build issue with recent Xcode versions on
+ Mac Silicon and iOS. Closes ticket 40683.
+
+ o Minor feature (metrics):
+ - Add various congestion control counters to the MetricsPort. Closes
+ ticket 40708.
+
+ o Minor feature (performance):
+ - Bump the maximum amount of CPU that can be used from 16 to 128. Note
+ that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
+ 40703; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (relay):
+ - Make an hardcoded value for the maximum of per CPU tasks into a
+ consensus parameter.
+ - Two new consensus parameters are added to control the wait time in
+ queue of the onionskins. One of them is the torrc
+ MaxOnionQueueDelay options which supersedes the consensus
+ parameter. Closes ticket 40704.
+
+ o Minor feature (relay, DoS):
+ - Apply circuit creation anti-DoS defenses if the outbound circuit
+ max cell queue size is reached too many times. This introduces two
+ new consensus parameters to control the queue size limit and
+ number of times allowed to go over that limit. Closes ticket 40680.
+
+ o Minor feature (relay, metrics):
+ - Add DoS defenses counter to MetricsPort.
+ - Add congestion control RTT reset counter to MetricsPort.
+ - Add counters to the MetricsPort how many connections, per type,
+ are currently opened and how many were created.
+ - Add relay flags from the consensus to the MetricsPort.
+ - Add total number of opened circuits to MetricsPort.
+ - Add total number of streams seen by an Exit to the MetricsPort.
+ - Add traffic stats as in number of read/written bytes in total.
+ - Related to ticket 40194.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on November 10, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/11/10.
+
+ o Minor bugfixes (authorities, sandbox):
+ - Allow to write file my-consensus-<flavor-name> to disk when
+ sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (dirauth):
+ - Directory authorities stop voting a consensus "Measured" weight
+ for relays with the Authority flag. Now these relays will be
+ considered unmeasured, which should reserve their bandwidth for
+ their dir auth role and minimize distractions from other roles. In
+ place of the "Measured" weight, they now include a
+ "MeasuredButAuthority" weight (not used by anything) so the
+ bandwidth authority's opinion on this relay can be recorded for
+ posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
+ torrc option which never worked right. Fixes bugs 40698 and 40700;
+ bugfix on 0.4.7.2-alpha.
+
+ o Minor bugfixes (onion service client):
+ - A collapsing onion service circuit should be seen as an
+ "unreachable" error so it can be retried. Fixes bug 40692; bugfix
+ on 0.3.5.1-alpha.
+
+ o Minor bugfixes (onion service):
+ - Make the service retry a rendezvous if the circuit is being
+ repurposed for measurements. Fixes bug 40696; bugfix
+ on 0.3.5.1-alpha.
+
+ o Minor bugfixes (relay overload statistics):
+ - Count total create cells vs dropped create cells properly, when
+ assessing if our fraction of dropped cells is too high. We only
+ count non-client circuits in the denominator, but we would include
+ client circuits in the numerator, leading to surprising log lines
+ claiming that we had dropped more than 100% of incoming create
+ cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
+
+ o Code simplification and refactoring (bridges):
+ - Remove unused code related to ExtPort connection ID. Fixes bug
+ 40648; bugfix on 0.3.5.1-alpha.
+
+
+Changes in version 0.4.7.10 - 2022-08-12
+ This version updates the geoip cache that we generate from IPFire location
+ database to use the August 9th, 2022 one. Everyone MUST update to this
+ latest release else circuit path selection and relay metrics are badly
+ affected.
+
+ o Major bugfixes (geoip data):
+ - IPFire informed us on August 12th that databases generated after
+ (including) August 10th did not have proper ARIN network allocations. We
+ are updating the database to use the one generated on August 9th, 2022.
+ Fixes bug 40658; bugfix on 0.4.7.9.
+
+
+Changes in version 0.4.7.9 - 2022-08-11
+ This version contains several major fixes aimed at reducing memory pressure on
+ relays and possible side-channel. It also contains a major bugfix related to
+ congestion control also aimed at reducing memory pressure on relays.
+ Finally, there is last one major bugfix related to Vanguard L2 layer node
+ selection.
+
+ We strongly recommend to upgrade to this version especially for Exit relays
+ in order to help the network defend against this ongoing DDoS.
+
+ o Major bugfixes (congestion control):
+ - Implement RFC3742 Limited Slow Start. Congestion control was
+ overshooting the congestion window during slow start, particularly
+ for onion service activity. With this fix, we now update the
+ congestion window more often during slow start, as well as dampen
+ the exponential growth when the congestion window grows above a
+ capping parameter. This should reduce the memory increases guard
+ relays were seeing, as well as allow us to set lower queue limits
+ to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
+ on 0.4.7.5-alpha.
+
+ o Major bugfixes (relay):
+ - Remove OR connections btrack subsystem entries when the connections
+ close normally. Before this, we would only remove the entry on error and
+ thus leaking memory for each normal OR connections. Fixes bug 40604;
+ bugfix on 0.4.0.1-alpha.
+ - Stop sending TRUNCATED cell and instead close the circuit from which we
+ received a DESTROY cell. This makes every relay in the circuit path to
+ stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+ o Major bugfixes (vanguards):
+ - We had omitted some checks for whether our vanguards (second layer
+ guards from proposal 333) overlapped. Now make sure to pick each
+ of them to be independent. Also, change the design to allow them
+ to come from the same family. Fixes bug 40639; bugfix
+ on 0.4.7.1-alpha.
+
+ o Minor features (dirauth):
+ - Add a torrc option to control the Guard flag bandwidth threshold
+ percentile. Closes ticket 40652.
+ - Add an AuthDirVoteGuard torrc option that can allow authorities to
+ assign the Guard flag to the given fingerprints/country code/IPs.
+ This is a needed feature mostly for defense purposes in case a DoS
+ hits the network and relay start losing the Guard flags too fast.
+ - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
+ TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
+ from torrc.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on August 11, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/08/11.
+
+ o Minor bugfixes (congestion control):
+ - Add a check for an integer underflow condition that might happen
+ in cases where the system clock is stopped, the ORconn is blocked,
+ and the endpoint sends more than a congestion window worth of non-
+ data control cells at once. This would cause a large congestion
+ window to be calculated instead of a small one. No security
+ impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
+
+ o Minor bugfixes (defense in depth):
+ - Change a test in the netflow padding code to make it more
+ _obviously_ safe against remotely triggered crashes. (It was safe
+ against these before, but not obviously so.) Fixes bug 40645;
+ bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (relay):
+ - Do not propagate either forward or backward a DESTROY remote reason when
+ closing a circuit in order to avoid a possible side channel. Fixes bug
+ 40649; bugfix on 0.1.2.4-alpha.
+
+
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
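Review bot: the 0.4.7.10 geoip entry ends with "Fixes bug 40658; bugfix on 0.4.7.9", but the changes/geoip-2022-08-12 file deleted in this same commit says "bugfix on 0.4.5.13". If the version was adjusted on purpose for this release series, that is fine, but it is worth confirming, since readers use the "bugfix on" version to decide whether they are affected. A smaller wording point in the 0.4.7.11 relay entry: "Make an hardcoded value" should read "a hardcoded value", as the changes/ticket40704 file has it.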
diff --git a/changes/bug40563 b/changes/bug40563
deleted file mode 100644
index e7a3deec6d..0000000000
--- a/changes/bug40563
+++ /dev/null
@@ -1,8 +0,0 @@
- o Major bugfixes (relay):
- - When opening a channel because of a circuit request that did not
- include an Ed25519 identity, record the Ed25519 identity that we
- actually received, so that we can use the channel for other circuit
- requests that _do_ list an Ed25519 identity.
- (Previously we had code to record this identity, but a logic bug
- caused it to be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha.
- Patch from "cypherpunks".
diff --git a/changes/bug40639 b/changes/bug40639
deleted file mode 100644
index d975e9ad22..0000000000
--- a/changes/bug40639
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (vanguards):
- - We had omitted some checks for whether our vanguards (second layer
- guards from proposal 333) overlapped. Now make sure to pick each
- of them to be independent. Also, change the design to allow them to
- come from the same family. Fixes bug 40639; bugfix on 0.4.7.1-alpha.
diff --git a/changes/bug40642 b/changes/bug40642
deleted file mode 100644
index f50d87e031..0000000000
--- a/changes/bug40642
+++ /dev/null
@@ -1,9 +0,0 @@
- o Major bugfixes (congestion control):
- - Implement RFC3742 Limited Slow Start. Congestion control was
- overshooting the congestion window during slow start, particularly for
- onion service activity. With this fix, we now update the congestion
- window more often during slow start, as well as dampen the exponential
- growth when the congestion window grows above a capping parameter.
- This should reduce the memory increases guard relays were seeing, as
- well as allow us to set lower queue limits to defend against
- ongoing DoS attacks. Fixes bug 40642; bugfix on 0.4.7.5-alpha.
diff --git a/changes/bug40644 b/changes/bug40644
deleted file mode 100644
index a27c63ede2..0000000000
--- a/changes/bug40644
+++ /dev/null
@@ -1,8 +0,0 @@
- o Minor bugfixes (congestion control):
- - Add a check for an integer underflow condition that might
- happen in cases where the system clock is stopped, the
- ORconn is blocked, and the endpoint sends more than a
- congestion window worth of non-data control cells at once.
- This would cause a large congestion window to be calculated
- instead of a small one. No security impact. Fixes bug 40644;
- bugfix on 0.4.7.5-alpha.
diff --git a/changes/bug40645 b/changes/bug40645
deleted file mode 100644
index 044d5b67d2..0000000000
--- a/changes/bug40645
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (defense in depth):
- - Change a test in the netflow padding code to make it more
- _obviously_ safe against remotely triggered crashes.
- (It was safe against these before, but not obviously so.)
- Fixes bug 40645; bugfix on 0.3.1.1-alpha.
diff --git a/changes/bug40673 b/changes/bug40673
deleted file mode 100644
index 1bbf42649b..0000000000
--- a/changes/bug40673
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor bugfixes (relay overload statistics):
- - Count total create cells vs dropped create cells properly, when
- assessing if our fraction of dropped cells is too high. We only
- count non-client circuits in the denominator, but we would include
- client circuits in the numerator, leading to surprising log lines
- claiming that we had dropped more than 100% of incoming create
- cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
diff --git a/changes/bug40684 b/changes/bug40684
deleted file mode 100644
index 8c751ede2c..0000000000
--- a/changes/bug40684
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (OSX):
- - Fix coarse-time computation on Apple platforms (like Mac M1) where
- the Mach absolute time ticks do not correspond directly to
- nanoseconds. Previously, we computed our shift value wrong, which
- led us to give incorrect timing results.
- Fixes bug 40684; bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug40698 b/changes/bug40698
deleted file mode 100644
index 98ddd4f968..0000000000
--- a/changes/bug40698
+++ /dev/null
@@ -1,11 +0,0 @@
- o Minor bugfixes (dirauth):
- - Directory authorities stop voting a consensus "Measured" weight
- for relays with the Authority flag. Now these relays will be
- considered unmeasured, which should reserve their bandwidth
- for their dir auth role and minimize distractions from other
- roles. In place of the "Measured" weight, they now include a
- "MeasuredButAuthority" weight (not used by anything) so the
- bandwidth authority's opinion on this relay can be recorded for
- posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
- torrc option which never worked right. Fixes bugs 40698 and 40700;
- bugfix on 0.4.7.2-alpha.
diff --git a/changes/bug40732 b/changes/bug40732
deleted file mode 100644
index f2388e7e8d..0000000000
--- a/changes/bug40732
+++ /dev/null
@@ -1,7 +0,0 @@
- o Major bugfixes (congestion control):
- - Avoid incrementing the congestion window when the window is not
- fully in use. Thia prevents overshoot in cases where long periods
- of low activity would allow our congestion window to grow, and
- then get followed by a burst, which would cause queue overload.
- Also improve the increment checks for RFC3742. Fixes bug 40732;
- bugfix on 0.4.7.5-alpha.
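Review bot: the second sentence of this entry has a typo, "Thia prevents overshoot", which should be "This prevents overshoot". Since the file is being folded into ChangeLog and ReleaseNotes, check that the merged text carries the corrected spelling rather than a verbatim copy.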
diff --git a/changes/bug40751 b/changes/bug40751
deleted file mode 100644
index baa5e90397..0000000000
--- a/changes/bug40751
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (metrics):
- - Decrement hs_intro_established_count on introduction circuit close. Fixes
- bug 40751; bugfix on 0.4.7.12.
diff --git a/changes/bug40805 b/changes/bug40805
deleted file mode 100644
index bed27c5e43..0000000000
--- a/changes/bug40805
+++ /dev/null
@@ -1,7 +0,0 @@
- o Major bugfixes (vanguards):
- - Rotate to a new L2 vanguard whenever an existing one loses the
- Stable or Fast flag. Previously, we would leave these relays in the
- L2 vanguard list but never use them, and if all of our vanguards
- end up like this we wouldn't have any middle nodes left to choose
- from so we would fail to make onion-related circuits. Fixes bug
- 40805; bugfix on 0.4.7.1-alpha.
diff --git a/changes/bug40858 b/changes/bug40858
deleted file mode 100644
index 4b9d85616e..0000000000
--- a/changes/bug40858
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (onion service):
- - Fix a reliability issue where services were expiring their
- introduction points every consensus update. This caused connectivity
- issues for clients caching the old descriptor and intro points. Bug
- reported and fixed by gitlab user @hyunsoo.kim676. Fixes bug 40858;
- bugfix on 0.4.7.5-alpha.
diff --git a/changes/fallbackdirs-2022-08-11 b/changes/fallbackdirs-2022-08-11
deleted file mode 100644
index 21200700ad..0000000000
--- a/changes/fallbackdirs-2022-08-11
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on August 11, 2022.
diff --git a/changes/fallbackdirs-2022-11-10 b/changes/fallbackdirs-2022-11-10
deleted file mode 100644
index 64df9c5f10..0000000000
--- a/changes/fallbackdirs-2022-11-10
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on November 10, 2022.
diff --git a/changes/fallbackdirs-2022-12-06 b/changes/fallbackdirs-2022-12-06
deleted file mode 100644
index 17daf63f53..0000000000
--- a/changes/fallbackdirs-2022-12-06
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on December 06, 2022.
diff --git a/changes/fallbackdirs-2023-01-12 b/changes/fallbackdirs-2023-01-12
deleted file mode 100644
index e3788a16ae..0000000000
--- a/changes/fallbackdirs-2023-01-12
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on January 12, 2023.
diff --git a/changes/fallbackdirs-2023-07-26 b/changes/fallbackdirs-2023-07-26
deleted file mode 100644
index 131d76339a..0000000000
--- a/changes/fallbackdirs-2023-07-26
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on July 26, 2023.
diff --git a/changes/fallbackdirs-2023-09-18 b/changes/fallbackdirs-2023-09-18
deleted file mode 100644
index be3ef1720f..0000000000
--- a/changes/fallbackdirs-2023-09-18
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on September 18, 2023.
diff --git a/changes/fallbackdirs-2023-11-03 b/changes/fallbackdirs-2023-11-03
deleted file mode 100644
index a6456a97e7..0000000000
--- a/changes/fallbackdirs-2023-11-03
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories generated on November 03, 2023.
diff --git a/changes/geoip-2022-08-11 b/changes/geoip-2022-08-11
deleted file mode 100644
index aad2392f1f..0000000000
--- a/changes/geoip-2022-08-11
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2022/08/11.
diff --git a/changes/geoip-2022-08-12 b/changes/geoip-2022-08-12
deleted file mode 100644
index e8f282db01..0000000000
--- a/changes/geoip-2022-08-12
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (geoip data):
- - IPFire informed us on August 12th that databases generated after
- (including) August 10th did not have proper ARIN network allocations. We
- are updating the database to use the one generated on August 9th, 2022.
- Fixes bug 40658; bugfix on 0.4.5.13.
diff --git a/changes/geoip-2022-11-10 b/changes/geoip-2022-11-10
deleted file mode 100644
index dce05f50c4..0000000000
--- a/changes/geoip-2022-11-10
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2022/11/10.
diff --git a/changes/geoip-2022-12-06 b/changes/geoip-2022-12-06
deleted file mode 100644
index f96e833e63..0000000000
--- a/changes/geoip-2022-12-06
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2022/12/06.
diff --git a/changes/geoip-2023-01-12 b/changes/geoip-2023-01-12
deleted file mode 100644
index 8378d34fbf..0000000000
--- a/changes/geoip-2023-01-12
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2023/01/12.
diff --git a/changes/geoip-2023-07-26 b/changes/geoip-2023-07-26
deleted file mode 100644
index f8e4feb573..0000000000
--- a/changes/geoip-2023-07-26
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2023/07/26.
diff --git a/changes/geoip-2023-09-18 b/changes/geoip-2023-09-18
deleted file mode 100644
index d09d9d4a53..0000000000
--- a/changes/geoip-2023-09-18
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2023/09/18.
diff --git a/changes/geoip-2023-11-03 b/changes/geoip-2023-11-03
deleted file mode 100644
index eedd3394ad..0000000000
--- a/changes/geoip-2023-11-03
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database,
- as retrieved on 2023/11/03.
diff --git a/changes/ip_bind_address_no_port b/changes/ip_bind_address_no_port
deleted file mode 100644
index 9c4f712a9e..0000000000
--- a/changes/ip_bind_address_no_port
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor features (relays):
- - Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
- sockets, allowing relays using OutboundBindAddress to make more outgoing
- connections than ephemeral ports, as long as they are to separate
- destinations. Related to issue 40597; patch by Alex Xu (Hello71).
diff --git a/changes/issue40613 b/changes/issue40613
deleted file mode 100644
index 76434beba2..0000000000
--- a/changes/issue40613
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplifications and refactoring:
- - Rely on actual error returned by the kernel when choosing what resource
- exhaustion to log. Fixes issue 40613; Fix on tor-0.4.6.1-alpha.
diff --git a/changes/ticket40194 b/changes/ticket40194
deleted file mode 100644
index 9f3a4833cf..0000000000
--- a/changes/ticket40194
+++ /dev/null
@@ -1,9 +0,0 @@
- o Minor feature (relay, metrics):
- - Add counters to the MetricsPort how many connections, per type, are
- currently opened and how many were created. Part of ticket 40194.
- - Add total number of streams seen by an Exit to the MetricsPort.
- - Add congestion control RTT reset counter to MetricsPort.
- - Add DoS defenses counter to MetricsPort.
- - Add relay flags from the consensus to the MetricsPort.
- - Add total number of opened circuits to MetricsPort.
- - Add traffic stats as in number of read/written bytes in total.
diff --git a/changes/ticket40604 b/changes/ticket40604
deleted file mode 100644
index ec24a46e66..0000000000
--- a/changes/ticket40604
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (relay):
- - Remove OR connections btrack subsystem entries when the connections
- closes normally. Before this, we would only close it on error and thus
- leaking memory for each normal OR connections. Fixes bug 40604; bugfix
- on 0.4.0.1-alpha.
diff --git a/changes/ticket40623 b/changes/ticket40623
deleted file mode 100644
index d2a0e7eaad..0000000000
--- a/changes/ticket40623
+++ /dev/null
@@ -1,4 +0,0 @@
- o Major bugfixes (relay):
- - Stop sending TRUNCATED cell and instead close the circuits which sends a
- DESTROY cell so every relay in the circuit path can stop queuing cells.
- Fixes bug 40623; bugfix on 0.1.0.2-rc.
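Review bot: this entry and the 0.4.7.9 ChangeLog text describe the change differently. Here, closing the circuit is what "sends a DESTROY cell so every relay in the circuit path can stop queuing cells"; the ChangeLog version says we "close the circuit from which we received a DESTROY cell". One is about the cell we emit, the other about the cell that triggers the close. Please confirm that the reworded ChangeLog sentence matches the actual behaviour, because relay operators reading it for the memory-pressure fix will take it literally.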
diff --git a/changes/ticket40648 b/changes/ticket40648
deleted file mode 100644
index a891e30204..0000000000
--- a/changes/ticket40648
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring (bridges):
- - Remove unused code related to ExtPort connection ID. Fixes bug 40648;
- bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40649 b/changes/ticket40649
deleted file mode 100644
index 28df58f106..0000000000
--- a/changes/ticket40649
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (relay):
- - Do not propagate either forward or backward a DESTROY remote reason when
- closing a circuit so to avoid a possible side channel. Fixes bug 40649;
- bugfix on 0.1.2.4-alpha.
diff --git a/changes/ticket40652 b/changes/ticket40652
deleted file mode 100644
index ff9f4d0591..0000000000
--- a/changes/ticket40652
+++ /dev/null
@@ -1,10 +0,0 @@
- o Minor features (dirauth):
- - Add an AuthDirVoteGuard torrc option that can allow authorities to
- assign the Guard flag to the given fingerprints/country code/IPs. This
- is a needed feature mostly for defense purposes in case a DoS hits the
- network and relay start losing the Guard flags too fast.
- - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
- TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable from
- torrc.
- - Add a torrc option to control the Guard flag bandwidth threshold
- percentile. Closes ticket 40652.
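Review bot: the list of tunables in the second item is missing a comma between TIME_KNOWN_TO_GUARANTEE_FAMILIAR and WFU_TO_GUARANTEE_GUARD, so it reads as three names rather than four, and the same text appears in the 0.4.7.9 ChangeLog entry. Suggest "TIME_KNOWN_TO_GUARANTEE_FAMILIAR, and WFU_TO_GUARANTEE_GUARD". Also, only the last item carries "Closes ticket 40652", and the entries never name the new torrc options other than AuthDirVoteGuard; listing the option names would let authority operators find them without reading the code.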
diff --git a/changes/ticket40663 b/changes/ticket40663
deleted file mode 100644
index 3992d8e2b5..0000000000
--- a/changes/ticket40663
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (authorities, sandbox):
- - Allow to write file my-consensus-<flavor-name> to disk when sandbox is
- activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40664 b/changes/ticket40664
deleted file mode 100644
index 729b6ff02a..0000000000
--- a/changes/ticket40664
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor feature (authority):
- - Reject 0.4.6.x series at the authority level. Closes ticket 40664.
-
diff --git a/changes/ticket40674 b/changes/ticket40674
deleted file mode 100644
index b371cafcf0..0000000000
--- a/changes/ticket40674
+++ /dev/null
@@ -1,3 +0,0 @@
- o Major bugfixes (relay):
- - Improve security of our DNS cache by randomly clipping the TTL value.
- TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
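Review bot: for a Major bugfix with a TROVE identifier, "Improve security of our DNS cache by randomly clipping the TTL value" does not say what the clipping protects against or who is affected. One sentence on the impact would help operators judge urgency. The bare "TROVE-2021-009." fragment also differs from the other TROVE entries in this commit, which put the identifier in the heading, for example "Major bugfixes (TROVE-2022-002, client)"; picking one convention makes the entries easier to search.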
diff --git a/changes/ticket40680 b/changes/ticket40680
deleted file mode 100644
index 1383844969..0000000000
--- a/changes/ticket40680
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor feature (relay, DoS):
- - Apply circuit creation anti-DoS defenses if the outbound circuit max cell
- queue size is reached too many times. This introduces two new consensus
- parameters to control the queue size limit and number of times allowed to
- go over that limit. Close ticket 40680.
-
diff --git a/changes/ticket40683 b/changes/ticket40683
deleted file mode 100644
index 6df078ebae..0000000000
--- a/changes/ticket40683
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor feature (Mac and iOS build):
- - Change how combine_libs works on Darwin like platforms to
- make sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
- symbols on the archive before we repack and run ${RANLIB} on the
- archive. This fixes a build issue with recent Xcode versions on
- Mac Silicon and iOS. Closes ticket 40683.
diff --git a/changes/ticket40687 b/changes/ticket40687
deleted file mode 100644
index e96119cf49..0000000000
--- a/changes/ticket40687
+++ /dev/null
@@ -1,2 +0,0 @@
- o Directory authority changes (dizum):
- - Change dizum IP address. Closes ticket 40687.
diff --git a/changes/ticket40688 b/changes/ticket40688
deleted file mode 100644
index 79350cb836..0000000000
--- a/changes/ticket40688
+++ /dev/null
@@ -1,3 +0,0 @@
- o Directory authority changes (Faravahar):
- - Remove Faravahar until its operator, Sina, set it back up online outside
- of Team Cymru network. Closes ticket 40688.
diff --git a/changes/ticket40692 b/changes/ticket40692
deleted file mode 100644
index 8405486115..0000000000
--- a/changes/ticket40692
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (onion service client):
- - A collapsing onion service circuit should be seen as an "unreachable"
- error so it can be retried. Fixes bug 40692; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40694 b/changes/ticket40694
deleted file mode 100644
index f17639cc27..0000000000
--- a/changes/ticket40694
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (onion service):
- - Set a much higher circuit build timeout for opened client rendezvous
- circuit. Before this, tor would time them out very quickly leading to many
- unnecessary retries and thus more load on the network. Fixes bug 40694;
- bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40696 b/changes/ticket40696
deleted file mode 100644
index a2c09f6a83..0000000000
--- a/changes/ticket40696
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (onion service):
- - Make the service retry a rendezvous if the circuit is being repurposed for
- measurements. Fixes bug 40696; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40703 b/changes/ticket40703
deleted file mode 100644
index f005f8f851..0000000000
--- a/changes/ticket40703
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor feature (performance):
- - Bump the maximum amount of CPU to use from 16 to 128. Note that NumCPUs
- torrc option overrides this hardcoded maximum. Fixes bug 40703; bugfix on
- 0.3.5.1-alpha.
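Review bot: the heading is "Minor feature (performance)" but the trailer is "Fixes bug 40703; bugfix on 0.3.5.1-alpha", which is the bugfix form; the other feature entries in this commit use "Closes ticket N". Either move the entry under a bugfix heading or change the trailer to "Closes ticket 40703", so the entry is classified the same way everywhere it is listed. The same mismatch is carried into the 0.4.7.11 ChangeLog text.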
diff --git a/changes/ticket40704 b/changes/ticket40704
deleted file mode 100644
index b1a83488da..0000000000
--- a/changes/ticket40704
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor feature (relay):
- - Two new consensus parameters are added to control the wait time in queue
- of the onionskins. One of them is the torrc MaxOnionQueueDelay options
- which supersedes the consensus parameter. Closes ticket 40704.
- - Change a hardcoded value for the maximum of per CPU tasks into a
- consensus parameter.
diff --git a/changes/ticket40708 b/changes/ticket40708
deleted file mode 100644
index 1c4a044a0b..0000000000
--- a/changes/ticket40708
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor feature (metrics):
- - Add various congestion control counters to the MetricsPort. Closes ticket
- 40708.
diff --git a/changes/ticket40719 b/changes/ticket40719
deleted file mode 100644
index eec84dce0f..0000000000
--- a/changes/ticket40719
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (cpuworker, relay):
- - Fix an off by one overload calculation on the number of CPUs being used by
- our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40722 b/changes/ticket40722
deleted file mode 100644
index a9a9f520a9..0000000000
--- a/changes/ticket40722
+++ /dev/null
@@ -1,5 +0,0 @@
- o Directory authority changes (moria1):
- - Rotate the relay identity key and v3 identity key for moria1. They
- have been online for more than a decade and refreshing keys
- periodically is good practice. Advertise new ports too, to avoid
- confusion. Closes ticket 40722.
diff --git a/changes/ticket40724 b/changes/ticket40724
deleted file mode 100644
index aeb6f9ae8b..0000000000
--- a/changes/ticket40724
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor feature (Congestion control metrics):
- - Add additional metricsport relay metrics for congestion control.
- Closes ticket 40724.
diff --git a/changes/ticket40727 b/changes/ticket40727
deleted file mode 100644
index ce462481f4..0000000000
--- a/changes/ticket40727
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (relay, metrics):
- - Fix typo in a congestion control label on the MetricsPort. Fixes bug
- 40727; bugfix on 0.4.7.12.
diff --git a/changes/ticket40729 b/changes/ticket40729
deleted file mode 100644
index 1c2d43d14f..0000000000
--- a/changes/ticket40729
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (sandbox, authority):
- - With the sandbox enabled, allow to write "my-consensus-{ns|microdesc}" and
- to rename them as well. Fixes bug 40729; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40730 b/changes/ticket40730
deleted file mode 100644
index f6d4c9de3b..0000000000
--- a/changes/ticket40730
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (TROVE-2022-002, client):
- - The SafeSocks option had its logic inverted for SOCKS4 and SOCKS4a. It
- would let the unsafe SOCKS4 pass but not the safe SOCKS4a one. This is
- TROVE-2022-002 which was reported on Hackerone by "cojabo". Fixes bug
- 40730; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40739 b/changes/ticket40739
deleted file mode 100644
index d65c143c56..0000000000
--- a/changes/ticket40739
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (compression):
- - Right after compression/decompression work is done, check for errors.
- Before this, we would consider compression bomb before that and then
- looking for errors leading to false positive on that log warning. Fixes
- bug 40739; bugfix on 0.3.5.1-alpha. Patch by "cypherpunks".
-
diff --git a/changes/ticket40741 b/changes/ticket40741
deleted file mode 100644
index 2a9f72489d..0000000000
--- a/changes/ticket40741
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor feature (lzma):
- - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
diff --git a/changes/ticket40745 b/changes/ticket40745
deleted file mode 100644
index 988dbc5f33..0000000000
--- a/changes/ticket40745
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfix (relay, logging):
- - The wrong max queue cell size was used in a protocol warning logging
- statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
diff --git a/changes/ticket40753 b/changes/ticket40753
deleted file mode 100644
index c5dc76b006..0000000000
--- a/changes/ticket40753
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor features (directory authorities):
- - Directory authorities now include their AuthDirMaxServersPerAddr
- config option in the consensus parameter section of their vote. Now
- external tools can better predict how they will behave. Implements
- ticket 40753.
diff --git a/changes/ticket40799 b/changes/ticket40799
deleted file mode 100644
index 4e2afe6e4b..0000000000
--- a/changes/ticket40799
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (sandbox):
- - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
- with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
-
- o Minor feature (CI):
- - Update CI to use Debian Bullseye for runners.
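Review bot: this changes file bundles two unrelated entries, a sandbox bugfix and a CI feature, and the CI entry "Update CI to use Debian Bullseye for runners" has no ticket reference. When folding it into ChangeLog and ReleaseNotes, make sure both entries land under their own headings and that the CI item gets a "Closes ticket" trailer if one exists. For the sandbox item, it would help to say why membarrier is now needed, so that users running with Sandbox 1 can tell whether they were hitting this failure.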
diff --git a/changes/ticket40815 b/changes/ticket40815
deleted file mode 100644
index 88129b7bb1..0000000000
--- a/changes/ticket40815
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (compression, zstd):
- - Use less frightening language and lower the log-level of our run-time ABI
- compatibility check message in our Zstd compression subsystem. Fixes bug
- 40815; bugfix on 0.4.3.1-alpha.
diff --git a/changes/ticket40824 b/changes/ticket40824
deleted file mode 100644
index a4d389ddc2..0000000000
--- a/changes/ticket40824
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (compilation):
- - Fix all -Werror=enum-int-mismatch warnings. No behavior change. Fixes bug
- 40824; bugfix on 0.3.5.1-alpha.
-
diff --git a/changes/ticket40859 b/changes/ticket40859
deleted file mode 100644
index a6cdaa9df7..0000000000
--- a/changes/ticket40859
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (testing):
- - Enable Doxygen and Stem tests for 0.4.8 and clean-up some logic for
- handling versions of Tor that are no longer supported. Closes ticket
- 40859.
diff --git a/changes/ticket40874 b/changes/ticket40874
deleted file mode 100644
index e1091f6b63..0000000000
--- a/changes/ticket40874
+++ /dev/null
@@ -1,3 +0,0 @@
- o Major bugfixes (TROVE-2023-004, relay):
- - Mitigate an issue when Tor compiled with OpenSSL can crash during
- handshake with a remote relay. Fixes bug 40874; bugfix on 0.2.7.2-alpha.
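Review bot: the body says "Mitigate an issue" while the trailer says "Fixes bug 40874", and the entry does not say whether upgrading alone resolves the crash. For a TROVE-tagged Major bugfix, please state whether this is a full fix or a mitigation and whether the crash can be triggered by the remote relay during the handshake, since that decides how quickly relay operators need to act. "when Tor compiled with OpenSSL" should also read "when Tor is compiled with OpenSSL".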